On Fri, 8 Sep 2000, Declan Grady wrote:
> Hi,
> Packet Log: good-bad REJECT ppp0 PROTO=17 192.168.0.100:1173
> 194.125.2.241:53 L=79 S=0x00 I=534 F=0x0000 T=127 (#4)
>
the packet is hitting your REJECT rule at the end of your good-bad
chain - which also logs the packet. I hope your /var/log is on a big
partition cause you're going to get a /lot of these messages.
> From my basic understanding, this is rejecting the packet which is using the
> ppp0 adapter,
> source being my client machine 192.168.0.100,
> destination being IOL's nameserver 194.125.2.241, on port 53
> (.....the rest of the stuff I have no idea)
> The relevant sections of my ipchains script are below
> I assume it is as simple as Accepting packets for a specific port number on
> the 2 IOL DNS servers at 194.125.2.240 and 194.125.2.241 ?
>
no.. you have 2 rules to catch tcp and DNS traffic. However your rules
match when the /source/ port is domain. ie your rule matches:
packet from 192.168.0.100:domain going out
but not:
packet from 192.168.0.100 going to any:domain.
the latter is probably more what you wanted. i think rather you
want to allow any packets going /to/ domain. see below..
> Also... This begs the question ... should I run a caching nameserver on the
> linux box as well, bearing in mind I only want it as a barrier between the
> lan and the big bad world outside.
>
you probably should. and while you're at it you can create a domain for
yourself private to your LAN, eg declangrady.ie (make sure it doesn't
exist). but if you install BIND keep up to date with security on it.
if you install BIND then you will probably have to allow /all/
outbound traffic with dest port == domain.
> My IPCHAINS rules....
> # LAN to outside world
> ipchains -A forward -s 192.168.0.0/24 -i ppp0 -j good-bad -l
>
this logs everything... for debugging i take it?
> # ICMP Logic
> ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
> ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
> ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
> ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
> # Allow LAN to outside world for www, ftp, ping, domain
> # and reject, and log all others
> # 08-09-00 - Try domain from static 192.168.0.100 both tcp and udp ?
> # (Extracted from IPCHAINS-HOWTO)
> ipchains -A good-bad -p tcp ! -y -s 192.168.0.100 domain -j ACCEPT
> ipchains -A good-bad -p udp -s 192.168.0.100 domain -j ACCEPT
>
if you want to query IOL DNS from your private clients then try this
instead:
ipchains -A good-bad -p tcp ! -y -s 0/0 -d <iol ns> domain -j ACCEPT
and similar for udp.
> ipchains -A good-bad -p tcp --dport www -j MASQ
> ipchains -A good-bad -p tcp --dport ftp -j MASQ
> ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
> ipchains -A good-bad -j REJECT -l
>
--paulj
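The source-port versus destination-port point made above, worked through on the quoted log line as an added example (not code from either poster). It models only the small subset of ipchains `-s`/`-d` syntax used in the thread; the helper names and the `check()` wrapper are assumptions.

```python
# Added example (not from the thread): model of ipchains '-s/-d ADDR [PORT]' matching,
# run against the quoted log line. Helper names and the syntax subset are assumptions.
import ipaddress
import re

# Packet Log line quoted in the mail (PROTO=17 is UDP).
LOG_LINE = ("Packet Log: good-bad REJECT ppp0 PROTO=17 192.168.0.100:1173 "
            "194.125.2.241:53 L=79 S=0x00 I=534 F=0x0000 T=127 (#4)")
PROTO_NAMES = {6: "tcp", 17: "udp"}
SERVICES = {"domain": 53, "www": 80, "ftp": 21}  # subset of /etc/services

def parse_log(line):
    """Extract protocol, source and destination address:port from a log line."""
    proto, src, sport, dst, dport = re.search(
        r"PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)", line).groups()
    return {"proto": PROTO_NAMES[int(proto)], "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def spec_matches(spec, addr, port):
    """ipchains 'ADDR[/MASK] [PORT]': a port after -s restricts the *source*
    port, a port after -d restricts the *destination* port."""
    net, _, svc = spec.partition(" ")
    if net == "0/0":            # ipchains shorthand for "any address"
        net = "0.0.0.0/0"
    elif "/" not in net:
        net += "/32"
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
        return False
    want = SERVICES[svc] if svc in SERVICES else int(svc) if svc else None
    return want is None or port == want

def rule_matches(rule, pkt):
    """rule = {'proto': ..., 's': spec, 'd': spec}; a missing -s/-d means 0/0."""
    return (rule["proto"] == pkt["proto"]
            and spec_matches(rule.get("s", "0/0"), pkt["src"], pkt["sport"])
            and spec_matches(rule.get("d", "0/0"), pkt["dst"], pkt["dport"]))

# Declan's rule: '-p udp -s 192.168.0.100 domain' (port 53 must be the SOURCE port)
ORIGINAL_RULE = {"proto": "udp", "s": "192.168.0.100 domain"}
# paulj's fix: '-p udp -s 0/0 -d <iol ns> domain', with IOL's nameserver filled in
FIXED_RULE = {"proto": "udp", "s": "0/0", "d": "194.125.2.241 domain"}

def check(rule, line=LOG_LINE):
    """True when the rule would ACCEPT the packet, False when it falls through."""
    return rule_matches(rule, parse_log(line))

if __name__ == "__main__":
    print("original rule matches logged query:", check(ORIGINAL_RULE))  # False
    print("fixed rule matches logged query:", check(FIXED_RULE))        # True
```

The original rule only fires for packets leaving 192.168.0.100 with source port 53, which a client query never has, so it falls through to the final `REJECT -l` and produces the logged line.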